Various means are used to secure electronic communication by authentication, and they offer various levels of security, i.e. various levels of resilience against misuse by an unauthorised person. To enhance security, various methods are used, each directed against a particular method of possible abuse. The main risks of abuse of the authentication means used in electronic communication consist in an attacker gaining access to the means themselves or to the secret information those means use for authentication.
The very widespread method of authentication by means of a login and a password entered by the user is very sensitive to the situation where the attacker succeeds in learning the password used. The attacker can do this, e.g. by observing the keyboard on which the user enters the password, by tapping communication in the data network over which the password is transferred, by reading the database of the service provider which is used for checking passwords, or by fraudulently obtaining the password from the user (phishing).
A plurality of authentication factors is used to reduce the risks related to misuse of authentication means: instead of cracking just one authentication factor, the attacker must crack all the authentication factors used. Smart payment cards are a very well-known and widespread two-factor authentication means: the user has a chip card which functions only if a PIN (secret number) is entered, so the attacker must acquire the payment card and guess or otherwise obtain the PIN in order to misuse it.
Specially designed devices are used to reduce the risks associated with abuse of authentication means; these devices give enhanced protection to the secret information used for authentication which is stored on the authentication means. This reduces the risk of the attacker obtaining such information by reading it from a (local or remote) authentication device. Examples include specialised authentication tokens and calculators, smart cards, and USB tokens with a built-in smart chip.
As a rule, the more secure an authentication solution is, the more complexity it involves for the user. To address this, there exist solutions that accept the risk that an attacker may copy the secret information used for authentication, in exchange for lower costs of using the authentication means, lower complexity for the user and lower demands on the special knowledge and skills normally required by specialised devices. An example is installing an X.509 authentication certificate (together with its private key) on a PC disk or on an ordinary USB memory stick, where any process with read access to the file can copy it.
The solutions used in practice have numerous disadvantages, leading either to low security, i.e. greater chances for attackers to abuse such authentication means, or to expensive and user-unfriendly solutions that users are reluctant or unable to use.
The disadvantages of the existing solutions include the fact that the protection against abuse is a fixed, built-in part of the relevant authentication means and is applied independently of the level of security that would be commensurate with the specific use of the authentication means at the given moment. As a result, the authentication either lacks security when used for services with high security requirements, if comfort for the client of the electronic service prevails, or the authentication means are unreasonably complicated to operate when used for services with usual security requirements and are thus not acceptable to the user.
The disadvantages of such solutions also include the fact that the second and any further factor is evaluated directly by the authentication device, before the actual authentication begins. An attacker who acquires the device may find ways of bypassing its protective mechanisms: the attacker either bypasses the necessity to use the second factor, or has a sufficient number of guesses available, or finds another way of obtaining information about the second factor from the authentication device.
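The following is an added illustration, not code from the original text, of the two ways of evaluating the second factor contrasted above (the PIN-protected chip card and the device-side check). It models three hypothetical designs: a token that verifies the PIN locally with no retry limit, so that whoever holds the device has an unlimited offline oracle over the 10^4 PIN space; the same token with a retry counter, which is the mitigation real smart cards rely on and which an attacker must then bypass; and a design in which the device never judges the PIN but binds it into a challenge response that only the service evaluates, so each guess costs an online attempt the service counts. All class names, the PIN "4711", the wrapping scheme and the low PBKDF2 iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo values (not from the original text). A real 4-digit PIN
# space is the same 10^4, which is exactly why unlimited local checking is weak.
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]
KDF_ITERATIONS = 100  # kept low so the offline brute force below runs in seconds


def derive_key(pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte wrapping key from the PIN. A higher iteration count
    only slows an offline attack by a constant factor."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)


class LocalCheckToken:
    """Authentication means that evaluates the PIN itself, before the actual
    authentication starts: a PIN verifier sits next to the wrapped secret, so
    anyone holding the device has an offline oracle with no guess limit."""

    def __init__(self, secret: bytes, pin: str):
        assert len(secret) == 32
        self.salt = os.urandom(16)
        key = derive_key(pin, self.salt)
        self.pin_verifier = hashlib.sha256(key).digest()
        self.wrapped_secret = bytes(a ^ b for a, b in zip(secret, key))  # XOR wrap (demo only)

    def unlock(self, pin: str):
        key = derive_key(pin, self.salt)
        if hmac.compare_digest(hashlib.sha256(key).digest(), self.pin_verifier):
            return bytes(a ^ b for a, b in zip(self.wrapped_secret, key))
        return None


class CounterLockedToken(LocalCheckToken):
    """Same local check plus a retry counter (what smart cards do): after
    MAX_TRIES failures the device refuses every further attempt."""
    MAX_TRIES = 3

    def __init__(self, secret: bytes, pin: str):
        super().__init__(secret, pin)
        self.failures = 0

    def unlock(self, pin: str):
        if self.failures >= self.MAX_TRIES:
            return None  # locked: even the right PIN is refused now
        secret = super().unlock(pin)
        self.failures = 0 if secret is not None else self.failures + 1
        return secret


def device_response(secret: bytes, pin: str, challenge: bytes) -> bytes:
    """Device side of a server-evaluated PIN: the device never judges the PIN,
    it only binds whatever was typed into its response to the challenge."""
    return hmac.new(secret, challenge + pin.encode(), hashlib.sha256).digest()


class Server:
    """Service side: holds the reference secret and PIN (in practice inside an
    HSM) and alone decides whether the PIN was right, so every guess costs the
    attacker one online attempt that the service counts and can lock out."""
    MAX_FAILURES = 5

    def __init__(self, secret: bytes, pin: str):
        self.secret, self.pin, self.failures = secret, pin, 0

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self.failures >= self.MAX_FAILURES:
            return False
        if hmac.compare_digest(device_response(self.secret, self.pin, challenge), response):
            self.failures = 0
            return True
        self.failures += 1
        return False


def offline_attack(token) -> tuple:
    """Attacker holding the device tries every PIN against the local check.
    Returns (pin, guesses) on success, (None, guesses) otherwise."""
    for n, guess in enumerate(PIN_SPACE, 1):
        if token.unlock(guess) is not None:
            return guess, n
    return None, len(PIN_SPACE)


def online_attack(server: Server, stolen_secret: bytes) -> tuple:
    """Attacker who extracted the secret from a device still needs the PIN,
    but each guess is an online exchange; stops once the service locks out."""
    for n, guess in enumerate(PIN_SPACE, 1):
        ch = server.new_challenge()
        if server.verify(ch, device_response(stolen_secret, guess, ch)):
            return guess, n
        if server.failures >= server.MAX_FAILURES:
            return None, n
    return None, len(PIN_SPACE)


if __name__ == "__main__":
    secret, pin = os.urandom(32), "4711"
    print("local check, no limit:", offline_attack(LocalCheckToken(secret, pin)))
    print("local check, counter: ", offline_attack(CounterLockedToken(secret, pin)))
    print("server-evaluated PIN: ", online_attack(Server(secret, pin), secret))
```

Running the script shows the unlimited local check giving up the PIN after 4712 guesses, the counter-locked token never yielding it (at the cost of the device having to defend its counter against tampering), and the server-evaluated design locking the account after five online attempts regardless of what the attacker extracted from the device.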
In addition, the user must use several different authentication means for different services, which complicates the security procedures, reduces the overall security of electronic communication and electronic services and, ultimately, increases the costs.